Having an issue figuring out how the all-zones option affects security if
applied to a physical interface rather than a VNI*. We are attempting to configure a Solaris
10 U3 TX system with 2 NICs to route between CIPSO and UNLABELED traffic. We
have a server that does not understand CIPSO (192.168.1.100/24) that we access
through a router (192.168.2.100/24) that does not understand CIPSO. The Solaris
gateway "router" has an interface (192.168.2.1/24) that talks to the router.
The other interface on the Solaris gateway is 192.168.3.1/24. One labeled
zone exists, called unclassified. We have attempted the following gateway
configurations but are uncertain what they do to security, since this is a TX
system.
1. Configured the global zone with iprb0=192.168.12.1/24 and iprb1=192.168.13.1/24.
Configured the unclassified zone with iprb0:1=192.168.2.1/24 and iprb1=192.168.3.1/24.
If we start a ping from a Solaris TX CIPSO workstation (192.168.3.100) through
the gateway to 192.168.1.100, communication stops after 1500 pings. With this
setup we are unable to make the persistent route work (192.168.1.100
192.168.2.100).
2. Configured the global zone with iprb0=192.168.2.1/24 all-zones and
iprb1=192.168.3.1/24 all-zones. Configured the unclassified zone without any
network settings. This seems to work even without the unclassified zone booted.
Persistent routes and communication do not stop working. What does this do to
the security of the system? All the documentation I have seen uses a VNI interface
for the labeled zones to communicate with the global zone. We are also looking at using
IPsec and are not sure what effect this will have.
Solaris 10 TX workstation 192.168.3.100
|
|
192.168.3.1
Solaris 10 TX gateway
192.168.2.1
|
|
192.168.2.100
NON-CIPSO Router
192.168.1.1
|
|
NON-CIPSO Server 192.168.1.100
This message posted from opensolaris.org
networking-discuss mailing list
[email protected]
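The second configuration from the post, as an added worked example (this is not code from the original message or from Sun; it is written for this page). The script emulates the tnrhdb remote-host template lookup for the topology in the question so you can check which template each peer address resolves to, and it emits the commands for setup 2 (all-zones on both physical NICs plus the persistent route) instead of running them, so it executes anywhere. Assumptions: the 192.168.3.0/24 side is the labeled/CIPSO network, everything beyond the gateway is unlabeled and gets the admin_low template, and the lookup uses the trailing-octet fallback (192.168.1.100, then 192.168.1.0, then 192.168.0.0, ...) rather than prefix-length entries; the tnrhdb entries themselves are constructed for this example. Check the exact option syntax against tnctl(1M) and ifconfig(1M) for your update before running the printed commands as root.

```shell
#!/bin/sh
# Added example, not from the original post.  Emulates the Trusted Extensions
# tnrhdb template lookup for the topology in the question and prints the
# setup-2 commands (all-zones on the physical NICs).  Nothing here touches
# the system, so it can be run on any host.
set -eu

# Constructed /etc/security/tsol/tnrhdb content for this topology
# (assumption: labeled side = cipso, everything beyond the gateway = admin_low).
# Trailing-zero addresses are the subnet fallback entries.
TNRHDB='127.0.0.1:cipso
192.168.3.0:cipso
192.168.2.0:admin_low
192.168.1.0:admin_low
0.0.0.0:admin_low'

tx_template_for_host() {
  # Emulation (assumption) of the tnrhdb fallback: try the exact address, then
  # the address with its trailing octets zeroed, ending at the 0.0.0.0
  # wildcard.  Prints the template name, or NONE if nothing matches.
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  for cand in "$1.$2.$3.$4" "$1.$2.$3.0" "$1.$2.0.0" "$1.0.0.0" "0.0.0.0"; do
    for entry in $TNRHDB; do
      if [ "${entry%%:*}" = "$cand" ]; then
        echo "${entry#*:}"
        return 0
      fi
    done
  done
  echo NONE
}

setup2_commands() {
  # Commands for the post's second configuration, printed rather than executed.
  # Both NICs stay in the global zone and are shared with every labeled zone
  # via all-zones; the unlabeled hosts get their template from tnrhdb, which is
  # what decides how their traffic is labeled on arrival.
  cat <<'EOF'
ifconfig iprb0 plumb 192.168.2.1 netmask 255.255.255.0 all-zones up
ifconfig iprb1 plumb 192.168.3.1 netmask 255.255.255.0 all-zones up
route -p add -host 192.168.1.100 192.168.2.100
tnctl -h 192.168.3.0:cipso
tnctl -h 192.168.2.0:admin_low
tnctl -h 192.168.1.0:admin_low
EOF
}

# Resolve every peer in the diagram to its template.
for h in 192.168.3.100 192.168.2.100 192.168.1.100; do
  echo "$h -> $(tx_template_for_host "$h")"
done
setup2_commands
```

The lookup makes the security-relevant point visible: with all-zones on the physical NICs, nothing in the interface configuration distinguishes the CIPSO workstation from the non-CIPSO router; only the template each peer address resolves to does, so a missing or over-broad fallback entry (for example the 0.0.0.0 wildcard) silently decides how unknown hosts' packets are labeled.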